1. Data controller and contact information
The owner of this website and data controller is RefuCo which is a registered auxiliary business name for Spin off Mill Ky. Company is located in Hanko, Finland.
Our registered customers and partners have access to view, edit, delete and download their data via the My pages section.
2. The name and description of the filing system
The name of our filing system is customer register. Customer register consists sub-registers: user register for managing registered users to refuco.fi website, sub-register for invoicing customers and managing data related to that and sub-register for newsletter subscribers.
3. The purpose of personal data processing
Customer data like name, address and other contact information are stored at the customer register in order to perform services,to inform and to market them. Data processing is based either on contract or fulfilling legal obligations. If processing is based on consent (e.g. registered users or newsletter subscribers), the consent will be asked before submitting the registration or other form and is saved to database with other information and timestamp of form submitting.
In case 3rd party services (e.g. Google Drive, Facebook, Asana, Slack or other) is connected to our services, the customer will be informed in advance. His/her consent is asked separately also by the third party.
Cookies are gathered in order to improve user experience when browsing our site and secure sessions especially for our registered customers. Cookies are also used for statistical purposes and targeting our marketing. Cookies store user's IP-addresses for those purposes.
Our principle in always to minimize storing of the personal data. We ask only the information that is necessary to provide, develop our services, and to maintain customer relationship,or to market our services.
4. Categories of data subjects and of the categories of personal data and data content
Data subjects consist of two categories: 1) Customers order our basic services, and 2) sub-contractors who provide us the services we offer to first category. To second category we provide also consulting services called 'RefuCo-entrepreneurs'.
Personal data is categorized accordingly to our filing system. User data is needed to maintain user's details in our system. Invoicing data are needed for invoicing purposes and marketing data are needed to inform or to promote our services.
Typical data processed is contact information like company name, contact person's name company's address, e-mail and phone number. In case when our customer will be a private person, this data will be considered as personal data. Additionally, for invoicing purposes the services will be stored. Also the products which customer has ordered as well as contracts or other relevant documents related to the agreement between customer and us will be stored too.
5. Regular data sources and data disclosing
RefuCo gets the customer's contact details directly from the customer (personally, via e-mail or other preferred messaging methods) or via registration form or other form. Also main- or sub-contractors are possible data sources when customer's contact details are needed to perform the service. Personal data disclosed to us is used only to provide the service in question.
Data can be disclosed to our main- or subcontractors in order to provide the service customer has ordered. Personal data can also be disclosed to partners for marketing or administration (like accounting) purposes. In these cases, main- or sub-contractors are not allowed to use disclosed personal data to any other purpose than to provide the ordered service. They are not allowed to use this data for their marketing purposes.
6. Data disclosing to parties located outside EU/EEA area
The servers we use are located in EU area and most of the personal data is stored here. Therefore personal data is not disclosed outside EU-area in most cases. However it is possible that some of our partner's, e.g. Google, Asana or other, server is located in U.S. or Canada and personal data may be involved in e.g. agreements or other documents. In those cases privacy shield framework system are applied. In U.S. certificates per corporate are required. In such cases we ensure that all our non-EU located partners fulfill this obligation.
7. The protection of our filing system, main principles
Our register is protected by using the following orgalisational and technical measures.
- Personal data protection is valued very high in our organisation and all available measures are used to protect it
- Access to process or view personal data is restricted only to persons who's task it belongs to.
- To prevent unauthorized persons to view data, access levels to data are defined carefully and permits granted to persons accordingly
- In order to access personal data, one has to sign in with his/her personal credentials.
- In services provided through our website we prioritize solutions that will keep personal data completely in our property and we use 3:rd parties solutions only when inevitable.
- In cloud server services we prefer well known and reliable service providers in EU area. SSL protection is required as a default in our websites and webmail services.
- We use reliable and updated virus protection and firewall software in all our devices.
8. Right to review own personal data or delete it (right to be forgotten)
Our customer's and other persons who's data is stored in our property has right to review it and get that data by request. In most cases this can be arranged through user account where user can log in and see the data recorded as well as edit it and even delete data.
If customer is requesting his/her right to be forgotten, personal data will be deleted if it's processing is based only on concent. If data processing is based on e.g. contract or legal requirements, personal details can't be deleted, but in many cases they can be pseudonymised or anonymised.
In case all information is not possible to view through personal user account, that information will be delivered the latest to the customer within 45 days from written (e-mail) request.
9. Right to claim to correct incorrect data
If customer ot other person notices that his/her personal data is incorrect, he/she has in most cases possibility to correct it through personal user account. If that is not possible due to tehcnical or other reasons, he/she can claim it to be corrected. After persons identity is revised, the data will be corrected as soon as possible and in any case within 45 days of the request.
10. Registered's other rights
In GDPR (General Data Protection Regulation) is widely regulated of the rights of the registred. Most of them (related to RefuCo) are described above. We encourage our customers to review the orginal regulation documentation from the link below in order to be aware all rights that our customers have, as well as our obligations related to GDPR.